Cybersecurity threats to medical devices are a growing concern. The exploitation of cybersecurity vulnerabilities presents a potential risk to the safety and effectiveness of medical devices. As a result, the FDA has released draft guidance outlining important steps medical device manufacturers should take to continually address cybersecurity risks, keep patients safe and better protect the public health. Among the items detailed are recommendations for monitoring, identifying and addressing cybersecurity vulnerabilities in medical devices once they have entered the market. The guidance also addresses the importance of information sharing through participation in an Information Sharing and Analysis Organization (ISAO), a collaborative group in which public and private sector members share cybersecurity information.
“All medical devices that use software and are connected to hospital and health care organizations’ networks have vulnerabilities—some we can proactively protect against, while others require vigilant monitoring and timely remediation,” stated Dr. Suzanne Schwartz, M.D., M.B.A., associate director for science and strategic partnerships and acting director of emergency preparedness/operations and medical countermeasures in the FDA’s Center for Devices and Radiological Health. “The draft guidance will build on the FDA’s existing efforts to safeguard patients from cyber threats by recommending medical device manufacturers continue to monitor and address cybersecurity issues while their product is on the market.”
According to the agency, the critical components of such a postmarket program should include: applying the 2014 NIST voluntary Framework for Improving Critical Infrastructure Cybersecurity, which is built on the core functions “Identify, Protect, Detect, Respond and Recover”; monitoring cybersecurity information sources to identify and detect cybersecurity vulnerabilities and risk; understanding, assessing and detecting the presence and impact of a vulnerability; establishing and communicating processes for vulnerability intake and handling; clearly defining essential clinical performance so that mitigations can be developed that protect against, respond to and recover from the cybersecurity risk; adopting a coordinated vulnerability disclosure policy and practice; and deploying mitigations that address cybersecurity risk early, before exploitation occurs.
The FDA encourages public comments on the draft guidance; the comment period will be open for 90 days. The FDA will also discuss the guidance at its upcoming public workshop, “Moving Forward: Collaborative Approaches to Medical Device Cybersecurity,” January 20-21 at the FDA’s headquarters in Silver Spring, Maryland. The workshop will engage the multi-stakeholder community in focused discussions on the unresolved gaps and challenges that have hampered progress in advancing medical device cybersecurity, and will work to identify specific solutions for addressing these issues going forward.